in many respects mirrors the initiatives taken by India in its document on framework of cyber security.

A document issued by security brass of the country, which was reviewed by ET, cites at least 12 instances where the US order mirrors India’s cyber security framework that was drafted in 2011. These include setting out a cyber security policy, defining critical infrastructure, information sharing between departments and protection of civil liberties.

Reading this, two things jump out – the insecurity that this claim projects and the fact that frameworks and plans like these are not even worth the cost of the paper they are written on [1] if they are not put into practice. Given that the GoI’s National Cyber Security Policy (Draft PDF) wants the CERT-IN to

act as a nodal agency and co-ordinate all matters related to information security in the country

we shouldn’t expect to get out of this self-dug pit any time soon.

[1] Yup, I said “paper” because, you know what, a lot of GoI reports and documents are scans of printed documents!

Another week and it seems it is time for another “cyber security policy” from a GoI body. This time it seems to be the National Security Council Secretariat (NSCS), which has reportedly

come up with a comprehensive cyber security policy for upgrading the security of systems and preventing them from being hacked, attacked with malware, or intruded upon by hostile entities.

Details are sketchy, which is not a surprise. Only Hindustan Times is reporting the story and what they say is

the plan has three components that demarcate task and authority. The existing Indian Computer Emergency Response Team (CERT-IN) will be tasked to handle the commercial aspects of cyber security, including 24×7 proactive responses to hackers, cyber-attacks, intrusions and restoration of affected systems.

The second aspect of the cyber plan is the creation of a technical-professional body that certifies the security of a network to ensure the overall health of government systems. While NSCS is advocating that initially the certification of networks could be done by private agencies, the long term plan is to create a technical body of professionals, all under 40, who will form the backbone of Indian cyber security.

The third aspect of the plan is cyber defence of critical infrastructure networks that are vulnerable to hostile foreign governments or proxy entities.

This seems eerily similar to the Ministry of Information’s “National Cyber Security Policy” Discussion Draft (pdf) that was issued around this time last year. We at Takshashila had responded (pdf) to that earlier invitation for comments and from the looks of it the issues raised then still plague this policy too.

(3) Orphan Policy. Cyber security cannot be considered in a silo. Cyber security – the business of safeguarding a country’s networking and technology infrastructure, and electronic information – is a subset of national security and a cyber security policy must be congruent to a national security policy. However, as India does not have a national security policy, the cyber security policy identified in the draft is effectively a “policy orphan.” As a result, significant gaps could exist between this policy document and what different ministries, departments and agencies assume might be India’s national security goals and priorities. While we agree that this is not something that can be remedied at one go, the orphaned nature of the cyber security policy should be recognised and its implication studied and understood.

The Department of Information Technology, Government of India issued a discussion draft on National Cyber Security Policy (pdf) on 26th March 2011 and invited comments on it. In our opinion this draft of the national policy is a considerable initial step and the government should be commended for being attuned to the threats and challenges facing the management of cyberspace and taking steps to address them. We feel that the document substantially addresses several areas and processes related to cyber security, particularly incident response, vulnerability management and infrastructure security.

However, we have identified some areas of improvement, including scope, ownership, resource allocation and management, technical and non-technical controls, which we present for the government’s consideration. This Takshashila policy advisory document (pdf) provides comments and feedback on the draft.

Feel free to provide your input on the original discussion draft or our response to it, in the comment section below.

Iran has been targeted by a second computer virus in a “cyber war” waged by its enemies, its commander of civil defense said on Monday. Gholamreza Jalali told the semi-official Mehr news agency that the new virus, called “Stars,” was being investigated by experts.

“Fortunately, our young experts have been able to discover this virus and the Stars virus is now in the laboratory for more investigations,” Jalali was quoted as saying. He did not specify the target of Stars or its intended impact.

“The particular characteristics of the Stars virus have been discovered,” Jalali said. “The virus is congruous and harmonious with the (computer) system and in the initial phase it does minor damage and might be mistaken for some executive files of government organisations.”

While it is interesting to figure out what “congruous and harmonious with the system” actually means, even more interesting is what kind of mischief someone in this position can conjure up and blame it on “clear and present danger to critical national infrastructure”. Many believe that Iran was successfully targeted by the Stuxnet worm. Given this history, how many would fault Iran if it decides to “hunt down” machines/entities that are helping spread this new virus against it? Will such a strategy be acceptable to the world at large? Would the US or China or for that matter India be able to use similar logic to implement an active defense strategy? How can the international community verify Iran’s claims?

Secrecy of Cyber Threats Said to Cause Complacency? Oh please! First of all, ignorance or unawareness is not the same as complacency. Furthermore, while the bill concerned, the Cyber Security Public Awareness Act, is itself a boon, especially for researchers as well as those who want to hold the government accountable, the central theme of the article’s rhetoric, that awareness among the population is low because the attacks on critical infrastructure and government networks are classified, just doesn’t add up. Given the high rate of identity theft, a lot of which has a cyber-related cause, and the huge amount of existing press on the matter of cyber attacks (China is the new USSR), it is not the lack of information that is preventing the spread of “awareness” (read hysteria). More likely is a combination of:

Bigger things to worry about, economy comes to mind

Cognitive disconnect between report of incident, its impact and relevance to oneself

Knowledge that recent over-the-top war mongering is a part of an elaborate scheme to get more federal budget

Countries who want to block certain new IANA TLD’s (and here I’m thinking of .XXX) could do this in-country and force alignment by mandating the use of that country’s DNS system by all in-country ISP’s and enterprises and end users. But even as much chaos as this would create, it’s still not the worst outcome from COICA.

My greatest worry is what people will do to bypass all this junk or to prevent other people from bypassing it. My fellow humans are a proud and occasionally adversarial bunch and they don’t like being told what they can’t do or what they have to do. The things we’ll all be doing to bypass the local DNS restrictions imposed by our coffee shops or our governments or our ISPs will break everything. Where this ends is with questions like “which DNS system are you using?” and “which DNS systems is your TLD in?” which in other words means that where this ends is a world without universal naming. We adopted DNS to get universal naming, and today we have universal naming except inside Network Address Translation (NAT) borders. Universal naming is one of the reasons for the Internet’s success and dominance. If we’re going to start doing stuff like COICA then we should have stuck with a “hosts file” on every Internet connected computer and let every connected device decide for itself what names it recognized.

The Internet Corporation for Assigned Names and Numbers (ICANN), the body responsible for the management of the top-level domain name space, recently approved the establishment of the top-level domain (TLD) “.xxx” as a sponsored TLD. The domain is currently intended as a (voluntary) option for pornographic sites. The Indian government, or at least one of its officials, promptly threatened to exercise its censorship scissors by declaring the intention to block access to .xxx domains:

“India along with many other countries from the Middle East and Indonesia opposed the grant of the domain in the first place, and we would proceed to block the whole domain, as it goes against the IT Act and Indian laws,” said a senior official at the ministry of IT. “Though some people have said that segregation is better, and some countries allow it. But for other nations transmission and direct distribution of such content goes against their moral and culture,” he added.

There seems to be nothing official about the statement, other than that it was uttered by “a senior official at the ministry of IT”, but it wouldn’t be surprising that this is indeed the stand of the ministry on this matter, especially if precedent is considered.

The Information Technology (Amendment) Act, 2008 that the official mentions, defines the prohibition on “lascivious” and “sexually explicit” in Chapter Paragraphs 67 and 67 A as:

67. Whoever publishes or transmits or causes to be published or transmitted in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to three years and with fine which may extend to five lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to ten lakh rupees.

67 A Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees.

Not surprisingly, the Act does not define or clarify what constitutes transmission and publishing, but what is interesting is that paragraph 69 provides the intermediaries (like ISPs) protection from liability (up to an extent) for the content they are carrying. This means that as long as the .xxx domains are hosted outside India, by organisations without a presence in India, there doesn’t seem to be any automatic way for the block to be set in place unless the provisions in paragraph 69 A are exercised by the government:

69A. (1) Where the Central Government or any of its officer specially authorised by it in this behalf is satisfied that it is necessary or expedient so to do in the interest of sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above, it may subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the Government or intermediary to block for access by the public or cause to be blocked for access by the public any information generated, transmitted, received, stored or hosted in any computer resource.

Given that the most likely interpretation of paragraph 67 does not make it a crime to view (not transmit or publish) pornography online, the stage is set for a good tussle between the government and those who object to the moral policing by the government. Also interesting is the attitude of the government to non-.xxx domains that host pornographic material. The use of .xxx domains is voluntary and it is unlikely that pornographic content will be confined to the sTLD. So far the government has not actively blocked all pornographic content online, so a question that someone wanting to challenge the .xxx block could ask is why they are being singled out.

Those who have been following the saga of the .xxx TLD application within ICANN would remember the warning provided by the Governmental Advisory Committee (GAC) of ICANN when they stated in their San Francisco Communique (pdf):

the GAC would like to inform the ICANN Board that an introduction of a .xxx TLD into the root might lead to steps taken by some governments to prohibit access to this TLD. The GAC therefore calls the Board’s attention to concerns expressed by experts that such steps bear a potential risk/threat to the universal resolvability and stability of the DNS.

The GAC must be doing the “We told you so!” dance. Blocking/filtering exists at various scales and at various levels, though most do not happen at the DNS level. Given that blocking of the .xxx domain will most likely involve a DNS level block and the history of incorrectly implementing blocks and filters by Indian ISPs, it is not far-fetched to be alarmed that the stability of the DNS is threatened, as pointed out by the GAC. What would of course follow is a cat and mouse game between technically savvy users who would try to find ways to circumvent the block (there are several ways based on how the block is implemented) and the government/ISPs that try to prevent “depravation and corruption”.

US President Barack Obama announced last year that America’s digital infrastructure is a “strategic national asset,” and set up a new Cyber Command headed by the director of the National Security Agency, signaling the importance of cyberpower in a nation’s internal and foreign policy. “Cyberpower and National Security” is one of the most comprehensive and scholarly books available on the topic of cyberpower.

The book is divided into six broad sections. The first three chapters form the foundation section that aims to identify and discuss major policy issues and formulate a preliminary theory of cyberpower. Chapter 1 looks at the key policy issues, categorizing them into structural and geopolitical. Chapter 2 establishes a common vocabulary for the cyber domain, with definitions for key concepts of cyberspace, cyberpower, and cyber strategy. Chapter 3 presents the initial theory of cyberpower.

Chapters 4 to 9 form the second section, “Cyberspace.” Chapter 4 looks at structural elements that constitute cyberspace, while chapter 5 identifies vulnerabilities affecting the critical national infrastructure of the US, including power grids, communication systems, and cyberspace infrastructure. In chapter 6, the authors look at trends in cyberspace: proliferation of broadband, the move to Internet protocol, version 6 (IPv6), increasing software complexity, the rise of online communities, and so on. Chapter 7 looks at the information security issues affecting the Internet, both on a small and large scale. Chapter 8 raises several policy issues that the authors think are relevant to the future of cyberspace, including security, identity, and location-aware computing, while chapter 9 explores the biotech revolution and the blurring of lines between humans and technology.

Section 3, “Military Use and Deterrence,” consists of four chapters. Chapter 10 looks at environmental power theories, compares them to cyberpower, and comes up with common features. Chapter 11 considers the question of whether networking operators do indeed improve operational effectiveness. Chapter 12 provides an overview of the cyberspace and cyberpower initiatives undertaken by the military, and chapter 13 looks at the contentious issue of the deterrence of cyber attacks.

The chapters in section 4, “Information,” look at the power of information and its role in the military and government. Chapter 14 examines the strategic influence of cyberspace information on international security. Chapter 15 explores the challenges associated with influence operations at the tactical level, while chapter 16 looks at the related issue of how information and communication technology and strategy can influence stability operations. This topic is further pursued in chapter 17, which analyzes various policy and institutional activities.

Section 5, composed of three chapters, looks at the way cyberpower can empower nations, terrorists, and criminals. Chapter 18 considers the way crime has advanced in cyberspace, especially the use of cyberspace by organized crime to further their agenda. Chapter 19 tries to scope the term “cyber terrorism,” and considers the debated question of whether it exists or is just a myth. Chapter 20 looks at the use of cyberspace by China and Russia.

In the last section, chapter 21 looks at the complex and sensitive issue of Internet governance and how the US can achieve “Internet influence” in the face of pressure from other nations. Chapter 22 discusses legal issues associated with cyber warfare, particularly two classes of problems: lawful resort to force and use of force in wartime. Chapter 23 provides a critical assessment of the US federal efforts to protect critical infrastructure. The last chapter pushes for setting up a Cyber Policy Council to provide a structured solution to some of the vexing problems in the area.

Compared to other books on the topic [1,2], this book is very detailed and theoretical in its coverage. Given its comprehensive coverage, it should be read and digested by those who have more than a passing interest in cyberpower and cyber strategies and a liking for a more scholarly treatment of the problem space.

1) Carr, J. Inside cyber warfare. O’Reilly, Sebastopol, CA, 2009.

2) Clarke, R.A.; Knake, R. Cyber war: the next threat to national security and what to do about it. Ecco, New York, NY, 2010.